FROM OUR MANAGING PARTNER

Fall 2017 Newsletter

STEPHEN L. GOLAN

Managing Partner

As another year nears its end, we at Golan Christie Taglia would like to take a moment to express our gratitude to you for entrusting us with your personal and business concerns. We recognize that you are the reason for our success. That is why we will continue to be diligent in the work that we do for you. This issue of our newsletter has information that we feel is important, and will assist you as you plan for the coming year, such as:

HOW TO PROTECT YOUR BUSINESS FROM CYBERATTACKS
Beverly Berneman outlines the multiple strategies hackers use to steal valuable business and consumer data, and provides insight about preventive steps your business can take to secure your technology infrastructure and the information stored within it.

APPLICATION PROCESS CHANGES AND BIPO COMPLIANCE
Many employers in California will need to be aware of two laws becoming effective on January 1, 2018. Learn about these imminent prohibitions that will change the application process, and how to prepare for them. And, if your business utilizes biometric data, find out what you should know to avoid potential noncompliance.

WHO'S MANAGING YOUR RETIREMENT PLAN?
Retirement plans can be confusing for private employers who have little or no expertise in managing investments. Andrew S. Williams reminds us that the U.S. Department of Labor holds in-house fiduciaries responsible for monitoring performance, and discusses the alternatives to consider.

In addition, we are pleased to announce that Taylor J. Feldman has joined our firm. His practice will focus on corporate law and governance, mergers and acquisitions, and commercial real estate. Please join me in welcoming Taylor. From all of us at Golan Christie Taglia, we send warm wishes for a holiday season that is happy, safe, and prosperous. As always, we are here to support you and all you hold dear.

Stephen L. Golan

INTELLECTUAL PROPERTY

What Can a Business Do to Safeguard Against Cyberattacks?

BEVERLY A. BERNEMAN

Partner

Nearly 43% of hacking attacks affect small businesses, 60% of which go out of business within 6 months.

Cyberattacks are in the news almost every day. Hackers are constantly on the lookout for data to steal—personal information, financial records, intellectual property, or whatever valuable data they can get. They can use the purloined data to steal money from bank accounts or to set up credit cards, or they may simply sell the personal information to a third party. Recent statistics show nearly 43% of hacking attacks happen to small businesses. Even worse, 60% of small businesses that experience an attack go out of business within 6 months. But businesses can minimize vulnerability and consequences from cyberattacks.

Understanding the different types of cyberattacks helps develop strategies to protect against them.

Weak Passwords: Using one password for all logins gives hackers easy access to multiple digital venues containing personal and sensitive business information. With a low-cost graphics card, a hacker can run billions of eight-character passwords in a minute. The hacker can be successful less than 1% of the time and still gain access to a staggering amount of data.

Phishing Emails: These emails look like they come from an official source from inside or outside the company. They can come in different types. The first type directs the user to a doppelganger website and prompts the user to enter the user’s password. Then the hacker can access the official website using the password. The second type looks like an official workplace email that directs the user to accomplish a task.

Social Engineering: This encompasses a wide range of hacking techniques. One technique is for the hacker to pretend to be the user and force a reset of the password. Another is for the hacker to gain access to the user’s social media and create a twin account. Once the hacker has access to the original account, the hacker then has access to the information belonging to the user’s followers, friends, and contacts. The hacker can even use the twin account to gain access to credit card or banking information by offering a product or service that seems to come from the user.

Ransomware: Hackers hold a website hostage until the owner of the website pays a ransom. Paying the ransom doesn’t always unlock the website.

The Next Hacker Innovation: Hackers spend a lot of time and effort navigating through barriers. Even before a type of cyberattack loses its effectiveness, hackers are already developing new technologies for cyberattacks.

But there are some measures a business can take to curtail its vulnerability, including:

Conduct a security audit. Have a professional look at your technology infrastructure at all levels including e-storage, desktop computers, and other personal devices used by your employees.

Don’t store more customer information than you really need. For example, if the business doesn’t need credit card information, there’s no reason to ask for it in the first place. If you do ask for information that is no longer relevant, set up a system to purge the information from your e-storage.

Use cybersecurity software and keep it up to date. When one door is closed, a hacker will find another door or a window to get to information. Up-to-date cybersecurity software is designed to close the doors and windows.

Train your employees to frustrate attacks. Security breaches often occur because employees unintentionally give sensitive information to a hacker disguised as a reputable contact, or they click on a malicious link. Even the most vigilant employee can get caught unaware. Give your employees the information they need to look out for, and avoid, potential threats: for example, creating strong passwords, being suspicious of links from unknown sources, being careful about the use of social media, and questioning unusual directives from a seemingly trusted source. Mobile employees should be careful about using free Wi-Fi networks such as in airports, coffee shops, and even on commuter trains.

Encrypt sensitive data. Encryption can thwart data theft. For instance, if the data is on a thumb drive that is lost or stolen, whoever accesses it won’t be able to read it.

Get cybersecurity insurance. General business insurance doesn’t automatically cover data breaches. Cybersecurity insurance is becoming more and more available. Cybersecurity insurance will cover most costs that result from hacking.

Use virtual data rooms. A virtual data room is an online storage space that allows access only to those who have the proper credentials. The virtual data room is a good place to store trade secrets, financial information, and other confidential information.

Nothing is foolproof when it comes to protecting against hackers, but with careful planning and diligence, a business can take many positive steps to frustrate cyberattacks.

Who's Managing Your Retirement Plan?

ANDREW S. WILLIAMS

Consider a typical retirement plan sponsored by a private employer. The employer is a fiduciary to the plan, along with individual employees who serve as trustees or members of the plan’s investment or retirement committee. When the employer has an outside investment manager, are the employer’s in-house fiduciaries off the hook?

A recent federal district court decision, Perez v. WPN Corp, et al., elaborates on what in-house fiduciaries are required to do in exactly this situation. The lawsuit, originally filed in 2014 by the U.S. Department of Labor (DOL) following an audit, sought to correct fiduciary breaches by the plans' investment manager and plan administrator, which caused the plans to sustain losses and lost earnings in excess of $7 million. According to the press release from the U.S. DOL, “This case underscores the department's commitment to hold fiduciaries accountable when we believe they have failed to meet their obligation to protect plan assets.” In a June 2017 opinion denying a motion to dismiss, the court held that plan fiduciaries who appoint the investment manager are still responsible for “monitoring” the investment manager’s performance. This duty includes adopting routine monitoring procedures, following those procedures, reviewing the results of the monitoring procedures and, most important, taking any action required to correct any performance deficiencies of the investment manager.

So, whether you pick an investment advisor to act as a co-fiduciary, or an investment manager to make all the decisions on plan investments, in-house fiduciaries still need to review the conduct of these professionals and take action when necessary.

There are a number of steps you might take to protect plan fiduciaries from liability. One thing you might consider is engaging an investment advisor to act as a co-fiduciary along with the in-house staff responsible for the plan. But let’s say you take another step and engage an “investment manager” to take on all responsibility for plan investments. In this case, the hired investment manager actually makes all decisions about plan investment and, as a “discretionary” advisor, only notifies the employer afterwards as to specific investment transactions.

Takeaways:

There’s no risk-free way to put your retirement plan on autopilot. Having quality service providers is a good idea but they cannot relieve you, your company, or your other in-house fiduciaries from all responsibility for investment and administrative decisions.

Some financial advisory firms charge extra to act as investment managers. You may find that the “extra protection” afforded by this arrangement is not really worth the additional expense.

Consider other alternatives to mitigate fiduciary liability. This may include steps like adopting a suitable investment policy statement or obtaining fiduciary insurance. For additional suggestions, contact an employee benefits attorney.

New Laws for California Employers

LAURA A. BALSON

Partner

MARGARET A. GISCH

Partner

Starting January 1, 2018, private-sector employers in California will be required to follow the so-called “ban the box” laws, which are already in place in nine states and for public-sector employers throughout the country. This law bars employers from requesting criminal conviction histories during the application process and before a conditional offer is made. An employer may run a background check after an offer has been made, and revoke the offer with appropriate evaluation of the conviction and open communication with the candidate about the reason the offer has been revoked. The goal is to provide an equal opportunity for those with a criminal record to be judged solely on their qualifications. Any company with employees or applicants in California should review its job application forms now, to remove any questions about criminal background.

Also by January 1, 2018, Californian employers will have to adjust to another change: a new law, called the Salary Privacy Act, bars employers from requesting the pay history of job applicants (though employers may consider salary history information that an applicant voluntarily offers). Furthermore, employers are obligated to provide, if requested, the position’s pay scale. An increasing number of cities and states prohibit employers from asking for salary histories in the application and interview process. Advocates of the new law argue that it is aimed at eliminating wage discrimination.

If you have any questions or concerns about applying these new rules and how they affect your company, please contact an employment attorney at Golan Christie Taglia.

Using Biometric Data May Cost Employers Big Dollars

In times when fingerprints and other biometric data are routinely used for menial tasks, e.g., to check text messages and tag friends in social media posts, it is hard to believe the use of biometric material may lead to a lawsuit. In response to growing concerns of identity theft, in 2008, the Illinois General Assembly passed the Biometric Information Privacy Act (“BIPO”). The BIPO restricts businesses’ collection, storage, and disclosure of personal biometric information. Biometric data includes retina and iris scans, fingerprints, voiceprints, handprints, and face geometry. Illinois employers must be hyper-diligent about BIPO compliance, as Illinois is the only state that allows a private cause of action and attorneys’ fees for violations.

In the wake of heightened time-keeping scrutiny under the Fair Labor Standards Act, it has become common practice for employers to scan employee fingerprints into a company database upon hire, and instruct employees to use their fingerprints to punch in and out for shifts and log break periods. BIPO litigation is on the rise. Class-action plaintiffs are pouncing on the opportunity to turn seemingly innocuous time-keeping procedures into big dollars.

On October 10, 2017, another BIPO complaint was filed in the Circuit Court of Cook County—nearly a dozen have been filed in the last six months. The named plaintiff sued her former employer for use of fingerprints for time-tracking purposes. The plaintiff, who was only employed from July 10 until August 28, claims her employer failed to collect written authorization from employees before collecting fingerprint scans, failed to inform employees how long fingerprint scans were retained after employment, and failed to explain how electronic records are destroyed. The lawsuit, like other BIPO class actions, seeks statutory damages of $1,000.00 to $5,000.00 per violation plus attorneys’ fees. This is likely the beginning of a growing trend in BIPO class-action litigation. Employers, especially larger employers, should be mindful of BIPO and consider internal audits to uncover any potential areas of noncompliance.

Announcements

Golan Christie Taglia Welcomes Newest Attorney

Golan Christie Taglia welcomes Taylor J. Feldman to our firm. His practice will focus on corporate law and governance, mergers and acquisitions, and commercial real estate. Mr. Feldman received a B.B.A. with a concentration in finance and marketing from the University of Miami in Coral Gables, Florida, and a J.D. from Loyola University Chicago School of Law, where he also obtained his certificate in taxation law. While attending law school, he worked at Loyola’s Business Law Clinic, where he helped represent entrepreneurs and small business owners as well as individuals who sought legal assistance with not-for-profit organizations. Taylor is a native Coloradan who enjoys outdoor activities such as hiking, fly fishing, and skiing. We are pleased to have him join our team, and look forward to watching him grow with us!